Contrary to popular belief, security matters not only while data is in transport between one computer and another, but also after transport. In the course of a transaction, the path that data follows is often complex and long, involving multiple hops. If even a small section of this path is insecure, the security of the entire transaction, and of the system, is compromised.
Today, many systems that are seemingly secure are in fact insecure. Designers and architects usually focus on the security issues relating to the transmission of data between the client and the server, while other segments of the data transmission value chain are assumed to be secure and do not get much attention. Many of today's Web site and Web application vulnerabilities are directly applicable to Web services as these and other legacy systems are oftentimes just being wrapped and made available as Web services. Figure 8-2 illustrates the security lapses of many of today's otherwise secure systems.
Figure 8-2. The security lapses of many of today's seemingly secure systems.
In this section, we describe some of these security holes in more detail and discuss how to address them.
Data Handling and Forwarding
Consider filling out a Web-based form for purchasing goods online. Typically, such online forms say that information entered into the form is secure. That is usually sufficient for the user to enter sensitive and personal information into the form and send it off over the network. The information is usually encrypted and secure as it is transferred between the client application (e.g., a browser) and the server. Once the data reaches the server, it is decrypted and is no longer secure. How companies handle and forward this open data creates potential security vulnerabilities.
Many businesses forward this data via electronic mail to the appropriate representative who can handle the customer's request. The transmission of this data, which is now in the clear, from the server to the representative's electronic mailbox as well as from the electronic mailbox to the representative's e-mail client presents many opportunities for this personal data to be misappropriated. Someone running a packet-sniffing program can easily access the data. Moreover, any administrators of the e-mail server can also access the decrypted data.
Worse yet, some companies take the decrypted data from the server and forward it to the appropriate representative as a hardcopy printout, a fax, or a voice phone call. Each of these modes of data handling and forwarding presents numerous opportunities to steal the customer's personal information.
There are many means to address these types of data handling and forwarding problems. The first is simply to re-encode and encrypt the data before the server forwards it. Another solution is to encrypt the data so that it can be partially decrypted by the receiving server. The partial decrypt allows only routing information to be gathered so the information can be forwarded to the appropriate representative as encrypted data. We take a closer look at this type of technology later in this chapter.
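The "partial decrypt" approach described above, as an added illustration that is not from the original text: the request is split at the point of capture into a routing record sealed under the front-end server's key and the form contents sealed under the handling representative's key, so the server can learn where to forward the request without ever holding the customer's details in the clear. The two-part envelope, the `Build`/`Route` names and the use of AES-GCM with a label as associated data are assumptions of this example, not a standard format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope (illustrative layout): routing record sealed under the front-end
// server's key, customer details under the handling representative's key.
type Envelope struct{ Routing, Payload []byte }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext; label is AAD so routing and payload blobs cannot be swapped.
func seal(gcm cipher.AEAD, plaintext []byte, label string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

func unseal(gcm cipher.AEAD, sealed []byte, label string) ([]byte, error) {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(label))
}

// Build runs where the form is received; the details are never stored unsealed.
func Build(server, rep cipher.AEAD, routing, form []byte) (Envelope, error) {
	r, err1 := seal(server, routing, "routing")
	p, err2 := seal(rep, form, "payload")
	return Envelope{Routing: r, Payload: p}, errors.Join(err1, err2)
}

// Route is the server's partial decrypt: it learns only the destination and
// forwards Payload untouched; only unseal(rep, e.Payload, "payload") reveals it.
func Route(server cipher.AEAD, e Envelope) (string, error) {
	dest, err := unseal(server, e.Routing, "routing")
	return string(dest), err
}
```

The same sealed envelope is what a site should write to any backup or holding file, so that an administrator with disk access sees only ciphertext.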
Finally, it is important to realize that security issues and transaction risks cannot be eliminated through technology alone. Security is a process and set of policies that must be adhered to not only by computers, but also by people who come into contact with sensitive information. Clear policies must be instituted, and people must be trained, monitored and held accountable.
Many businesses routinely back up their data, including customers' personal information, to a disk drive or magnetic tape. Continuing with the above example, the server that receives and decrypts the information from the client may back up the data for some period of time in case the e-mail or hardcopy is lost before the request is fulfilled. Many sites simply store all of the decrypted information as a flat text file on another hard disk drive.
All of this personal information is thus aggregated, decrypted and in the clear, in a single place for a malicious user to access. Any administrator with access to the hard disk drive can potentially misappropriate the personal data. If, by mistake or by malicious intent, an administrator sets the access permissions of this data to be readable by others, even more people can steal the information. The situation is worse for sites that are hosted by a hosting company: there, the administrators and users of other sites co-located on the same server can also misappropriate personal data.
Errors in Identity
There are many assumptions made in the process of securing a system. One of these assumptions is that the identity of a person or an entity is in fact correct. Identities are usually validated through digital certificates that prove to others that an entity is in fact who it claims to be. Digital certificates are issued by a number of companies that are responsible for verifying the identity of the entity requesting the certificate. The assumption that most make is that the company responsible for verifying each entity and granting a digital certificate has properly done its job. Through breaches of process, human error, and sometimes malicious intent, this assumption does not always hold.
When this happens, there are limited options; thankfully, such situations are rare. Nonetheless, it is important to be aware of them and to question these and other assumptions that underlie modern security techniques and technologies.
Implementing secure systems is difficult. Architects and designers charged with such tasks must not only look at the exchange of data between the client and the server, but the entire end-to-end path that data takes. This includes analyzing not only the technologies that are used but also the business processes that are used once the server receives the data from the client. As more and more Web applications and Web sites are simply repackaged, wrapped, and exposed as Web services, these security risks and issues will pervade Web services environments as well.